Spyware Hunters

I'm responsible for maintaining the reliability and security of a fleet of corporate PCs, and spyware is the new bane of my existence. Of course, spyware is only one of a handful of new threats to my sanity and the systems I support, and the very term spyware encompasses a variety of threats—including adware, snoopware, and malware, as Joseph Kinsella describes in "Put a Stop to Spyware," March 2005, InstantDoc ID 45268. For the sake of simplicity, in this comparative review of enterprise-ready antispyware tools, I'll use the term "spyware" to refer to all non-virus system intrusions that form this class of threats. To participate in this review, products needed to offer antispyware functionality including but not limited to automated client-agent deployment, centralized management and reporting, and automated threat scanning and removal.

In this comparative review, I take a look at five enterprise-ready antispyware tools—Computer Associates' (CA's) eTrust PestPatrol AntiSpyware Corporate Edition, FutureSoft's DynaComm i:scan, Omniquad's AntiSpy Enterprise Edition, Sunbelt Software's CounterSpy Enterprise, and Tenebril's SpyCatcher Enterprise. I was eager for the opportunity to review these products, which have been—in many cases—a long time coming. Administrators and users everywhere will likely welcome them with open arms. If you're wondering whether the antivirus heavyweights are joining the antispyware fight, the answer is yes, but at press time neither Symantec nor McAfee could participate in the review. See the sidebar "Not Ready for Prime Time" for a discussion of the enterprise antispyware offerings that we were unable to include in this review. And for information about Microsoft's recent foray into the antispyware space, see the sidebar "Microsoft's GIANT Acquisition."

How I Tested
To test these enterprise antispyware products, I created a group of four client systems and one server to act as the console and centralized management point for each product. The clients all ran Windows XP Service Pack 1 (SP1), with the exception of one system that had SP2 installed. The console system ran Windows Server 2003. Before testing any products, I installed and tracked varying collections of spyware on the client systems. After polluting the clients, I took a disk image of each system, which I used to restore the clients to their fully infected state for each product test.

eTrust PestPatrol AntiSpyware Corporate Edition
CA acquired PestPatrol in late 2004 and has added the product to its eTrust line of solutions. The components of PestPatrol are the Management Console, the Workstation Agent, the command-line scanner, and the Active Protection module. You can install the Management Console on any Pentium-based system running Windows 2003, Windows XP Professional, or Windows 2000.

I installed the console and the included PDF-format Network Administrator's Guide on the management server in less than 1 minute, then launched the software from the Start menu. Upon launch, the software notified me that new updates were available and gave me the option of downloading them immediately. After the update, the console screen opened, as Figure 1 shows. I did a quick scan of the test clients with the Log only option selected, and PestPatrol displayed all detected pests. Next, I selected the Quarantine option for detected pests and rescanned. I switched to the View logs/Clean pests tab to delete the quarantined items. While viewing either logs or quarantined items, I could double-click an entry to view more threat-specific information, contained in the product's online Pest Encyclopedia.

The software couldn't quarantine some of the detected pests, and the log told me to scan with the Delete option selected to remove those items. When I scanned once more with the Delete option selected, the software removed the remaining pests. The log files for both Quarantine and Delete operations recommended a reboot of the client workstation to finish the removal process.

I also tested PestPatrol's scheduling, exclusion, notification, and update features. I configured the client systems to run a full scan of memory, cookies, registry, and disk drives once a week and scheduled a less intensive scan to run every day. The process of scheduling client scans is straightforward, and the scans proceeded without problems on my test systems. Because the software might unintentionally identify some legitimate software as a threat, PestPatrol lets you create a list of items you want to exclude from a scan to avoid unintentional software quarantine or removal. I added Virtual Network Computing (VNC) to the list of exclusions in my test environment, and PestPatrol no longer identified it as a pest. Email alerting worked as I expected, although I would have appreciated more configurable message options. The PestPatrol console checks for updates each time you open it, and you can also manually check for updates from within the console. When the software downloads updates to the console, you must push them out to the clients. The option of scheduling both central-console and client updates would provide for better protection and less administrative interaction.

PestPatrol is an easy-to-use product that does a good job of detecting and removing spyware. CA could improve the console interface by adding simple selection and sorting enhancements. A console-managed command-line version of PestPatrol supports down-level clients such as Windows 98, but I didn't test this functionality.

eTrust PestPatrol AntiSpyware Corporate Edition

Contact: Computer Associates * 888-423-1000
Web: http://www.ca.com
Price: $23 per user for 100 users; volume discounts apply
Summary
Pros: The size of the company benefits R&D; client deployment is simple; threat detection and removal are above average
Cons: Reporting mechanisms aren't thorough or flexible
Rating: 3.5 out of 5
Recommendation: A close runner-up in our tests. The product's user-friendly console functioned well. PestPatrol is a good option if you need to support Windows 9x clients.

DynaComm i:scan
FutureSoft was in the midst of a DynaComm i:scan product revision at the time of my testing. The enterprise product I tested addressed the criteria I specified, but it didn't incorporate registry-based and memory-based threat scanning. The personal version of DynaComm i:scan, however, contained these features. Assured by FutureSoft that registry-scanning and memory-scanning features would soon be part of the enterprise product, I agreed to a hybrid test, using the personal client to evaluate the spyware detection and removal capabilities.

When I installed the enterprise version of DynaComm i:scan, the software prompted me to specify the users who would have permission to use the product. You can populate the list of users from the domain or an individual system. The software then prompted me for an account under which the DynaComm i:scan service would run. After providing an account for the DynaComm i:scan service, the installation finished and I rebooted the server.

DynaComm i:scan's antispyware features are a subset of its overall content-security focus. The product is designed to scan storage throughout your enterprise, categorize the files it finds and—optionally—take action when it finds certain types of files. Actions range from logging to moving or deleting a file. File signatures identify problem files. The product includes a database of file signatures for spyware, as well as a collection of predefined scans (which Figure 2 shows) that look for files matching one or more file signatures. DynaComm i:scan gives you a great deal of control over file signatures, letting you create your own list of spyware or other types of offending files.

The first time I ran the Find Malware scan from the console, the product installed client service software on the targeted clients. The client service software, which runs on Windows NT and later, performs scanning locally on the client and provides configurable real-time monitoring and protection. (You can use the product to scan Win9x systems, but on Win9x systems, the console performs the scan over the network, consuming both network and console-server bandwidth.) The scan results showed numerous files that fit DynaComm i:scan's predefined malware signatures. I opened the file-scan log viewer, and by right-clicking identified files in the list I could choose to open, copy, move, or delete the items.

Although the enterprise version of DynaComm i:scan detected a number of disk-based spyware infections, I had to run the personal edition to gauge how DynaComm i:scan stacked up against the competition in terms of disk, memory, and registry threat detection and removal. DynaComm i:scan wields a lot of power, but along with the functionality comes a bit more complexity than you probably want to deal with if you're after a dedicated antispyware solution. In the end, DynaComm fared the worst in handling disk-based threats and second worst in handling registry threats, but I'm deriving these figures from the standalone tool.

Omniquad AntiSpy Enterprise Edition
Omniquad's AntiSpy is one component of the company's Enterprise Manager framework. The other components—Surfwall (Web content filtering), Inventory Tracker, Instant Remote Control, Activity Monitor, and network-security tools—are available separately. I followed the instructions in the HTML-format Install Guide to install AntiSpy on my server and clients. The documentation is extremely thorough and even includes XP SP2 client-configuration instructions. Omniquad AntiSpy Enterprise Edition uses a database back-end for which you can use either a Microsoft SQL Server or Jet database engine. I used an existing SQL Server implementation to host the AntiSpy databases, which the setup program configured.

After setting up and launching the Omniquad Enterprise Manager, which Figure 3 shows, a message prompted me to install the Desktop Control Client component. On XP, Win2K, and NT clients, you can use the Omniquad Deployment Assistant to automatically push the client out, and on Win9x clients, you can run an executable manually or via a logon script to install the client. I used the Omniquad Deployment Assistant to push the client out to my test systems. This helpful, automated deployment tool provides a lot of flexibility for targeting systems for installation. To assist with troubleshooting and asset management, the product also provides an inventory tool that creates a brief HTML hardware and software inventory list for client systems.

I performed a quick manual scan of the test client using Report Only mode, and Omniquad AntiSpy Enterprise Edition found most of the threats on the system. I used the Reports feature to see the threats that were identified on each system. Reports are available only in HTML format, but they're available to others in your enterprise without requiring additional software installation. To apply a desired set of antispyware rules, Omniquad AntiSpy Enterprise Edition uses policies targeted to usernames and computer names. Unfortunately, because of some confusion regarding groups of users and computers and an incorrect icon in the Administrator's Guide, this step required an inordinate amount of time to figure out. It turns out that the product permits only one group (proprietary to this tool), to which you can add the users or computers that will apply the settings you specify.

After creating a group policy (not to be confused with Windows' Group Policy), I added my test systems and configured a scheduled scan, setting options for threat deletion and real-time protection. The product sends the policy to clients immediately unless you cancel it. In my testing, all the clients ran the scheduled scan and I viewed a report to verify that they detected and removed known spyware.

Omniquad AntiSpy Enterprise Edition performed as expected, but elements of the UI are a bit cumbersome. The product lacks some desired enterprise-level features, such as alerting and flexible reporting. On the plus side, the built-in inventory tool will be very useful to some organizations.

Omniquad AntiSpy Enterprise Edition

Contact: Omniquad * 727-547-0499
Web: http://www.omniquad.com
Price: $12 per user for 100 users; volume discounts apply
Summary
Pros: The price is attractive; additional functionality, such as inventory, is enticing
Cons: The product has a cumbersome UI and missed some threats in my testing
Rating: 3 out of 5
Recommendation: AntiSpy boasts a good price and decent functionality, but its console interface needs work.

CounterSpy Enterprise
Sunbelt Software was preparing a CounterSpy Enterprise release candidate at deadline time, so I tested the beta 2 version of the product. When you run the CounterSpy Enterprise installation program, you can choose to perform a complete installation or install only the CounterSpy Enterprise Admin Console. I installed the full CounterSpy Enterprise Server on my test system, and the software prompted me to reboot upon completion.

To deploy and prepare the software in my test environment, I consulted the "Quick Start Guide" section of the PDF-format User's Guide for CounterSpy Enterprise. From the Admin Console, which Figure 4 shows, I added my test clients to the default policy and confirmed the deployment of the agent to those systems. The software deployed the agent to XP SP1 systems without incident, but on the system running SP2 I had to configure the firewall to enable file and printer sharing before the remote installation could succeed. The agent is also available as a Windows Installer (.msi) file that you can install by using other deployment mechanisms. After installing the agent, I performed a manual scan on the test systems, and because Quarantine was set as the default action for detected spyware, the product quarantined all the threats.

You can manage quarantined items on a machine-by-machine basis, or you can work with all items by accessing the Quarantine page. On the Quarantine page, I could view all quarantined items for the test systems. From there, I could drill down to get more information about each threat, including in which areas of a system it appeared. I could also perform Unquarantine and Delete operations on the quarantined objects, either systemwide or on individual machines. CounterSpy Enterprise also offers useful reports for monitoring and analyzing threats and keeping track of your progress in removing them.

You can apply different sets of rules to groups of systems by creating Policies, then applying the settings you want for each Policy. For example, I created a Policy called Delete All Threats and placed my test systems into that Policy. Then, I configured a custom scan schedule and scan settings, instructing the software to remove all threats by default. You can also configure parameters such as email notifications and allowed threats at the policy level.

I found CounterSpy Enterprise's interface to be fairly intuitive and powerful for managing antispyware protection for Windows clients. The product is designed to be an enterprise-class system and appears to have the groundwork to succeed in that category. I suffered only a couple of minor problems while testing the beta version, but nothing impeded CounterSpy Enterprise's effectiveness at spyware control.

CounterSpy Enterprise

Contact: Sunbelt Software * 727-562-0101
Web: http://www.sunbelt-software.com
Price: $18 per user for 100 users; volume discounts apply
Summary
Pros: Client deployment is smooth; reporting is impressive; CounterSpy Enterprise offers the best overall detection and cleanup functionality in our tests
Cons: It's a new product that's not yet been proven; it offers no Win9x client support
Rating: 4 out of 5
Recommendation: A good combination of functionality and usability makes CounterSpy the winner in our tests—as long as you don't have Win9x clients.

SpyCatcher Enterprise
Tenebril's SpyCatcher Enterprise consists of a Remote Management Console (RMC), an RMC Satellite, and a SpyCatcher client. When you install the RMC, a wizard walks you through the setup of distributed client communications. A PDF-format Quick Start Guide can also guide you through setup and configuration. You must first choose one of three options for client/server communications: direct network communication, networked through an FTP server, or a folder on a networked drive. The direct network communication option requires the RMC to be running for clients to connect, and the FTP option requires an intermediary FTP server, so I opted for the simple shared-folder option. After I created and tested the shared folder, the software prompted me to configure the RMC Satellite, which coordinates communication between the clients and the server. To prevent user tampering, you can password-protect the RMC Satellite and hide its system tray icon.

After the wizard completed, the SpyCatcher RMC opened, as Figure 5 shows. The Quick Start Guide informed me that a SpyCatcher installer package would appear on the desktop following completion of the wizard—sure enough, it was there. I entered the license information, per the guide's instructions, and proceeded to the client installation.

The client package consists of two MSI packages, one for the application and one for settings, that you can deploy via Active Directory (AD) or a third-party deployment tool. Currently, no automated deployment mechanism is available for the client within the RMC. And to initiate communication, you must run an executable on the client either manually or via a script. I installed the clients manually and ran the executable.

After I refreshed the RMC, the clients appeared and I scheduled an immediate spyware sweep from the Clients menu. Within the interface, you can add clients to logical groups and apply various scanning, scheduling, and protection options at the group level. You can use the default groups or add and rename groups to suit your environment. I performed multiple scheduled and manual sweeps on the test clients, and although the software found some spyware, SpyCatcher Enterprise didn't find a number of threats that other products identified.

The SpyCatcher RMC's base functionality boasts the centralized management capabilities of an enterprise product. However, a combination of limited deployment capabilities, kludged client/server communications, and missed threats detract from this product's effectiveness as a corporate antispyware solution.

Look to the Future
The enterprise antispyware product space is still relatively young, and that youth shows in one way or another in most of these products. Nonetheless, we're seeing an ever-increasing and immediate need for antispyware products, so you might need to choose a product today that resolves as many spyware problems as possible while keeping an eye on the future potential of the tool. Ongoing research and consistent product improvements are essential to any vendor that wants to attain and maintain an advantage over competitors. As with many products, larger vendors are better equipped to invest in the necessary research. The wild card, however, will probably be the sense of commitment a given vendor puts toward improving its product. A huge company with many products might direct only a fraction of its attention toward its antispyware tool, whereas a small company might stake its livelihood on the success of its product.

Of course, making these determinations—future potential, R&D dedication, overall company investment in a given product—isn't easy, and getting a straight story from a company's sales representative can be a feat in itself. Of the products reviewed, the offerings from CA and Sunbelt Software are best equipped to tackle today's spyware challenge. These two products also boasted the most impressive centralized management functionality, offering easy scanning, scheduling, alerting, and client-software deployment. Although DynaComm i:scan has a lot of flexibility for discovering and handling threats, its out-of-the-box functionality missed much of the spyware loaded on my test systems. Also lacking in the detection department are Omniquad AntiSpy Enterprise Edition and SpyCatcher Enterprise. These products have enticing qualities, but their primary functions of detecting and removing spyware—their most important feature, in the context of this comparative review—don't quite live up to those of their competitors.